[SECURITY] IcedTea 2.6.26 for OpenJDK 7 Released!

Andrew Hughes gnu_andrew at member.fsf.org
Mon Jul 5 20:09:04 UTC 2021

The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools, along with additional
features such as the ability to build against system libraries and
support for alternative virtual machines and architectures beyond
those supported by OpenJDK.

This release updates our OpenJDK 7 support in the 2.6.x series with
the April 2021 security fixes from OpenJDK 7u301.

If you find an issue with the release, please report it to our bug
database (http://icedtea.classpath.org/bugzilla) under the appropriate
component. Development discussion takes place on the distro-pkg-dev at
openjdk.java.net mailing list and patches are always welcome.

Full details of the release can be found below.

What's New?
New in release 2.6.26 (2021-07-05):

* Security fixes
  - JDK-8244473: Contextualize registration for JNDI
  - JDK-8244543: Enhanced handling of abstract classes
  - JDK-8249906, CVE-2021-2163: Enhance opening JARs
  - JDK-8250568, CVE-2021-2161: Less ambiguous processing
  - JDK-8253799: Make lists of normal filenames
* Import of OpenJDK 7 u301 build 1
  - JDK-8035166: Remove dependency on EC classes from pkcs11 provider
  - JDK-8202343: Disable TLS 1.0 and 1.1
  - JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
  - JDK-8258247: Couple of issues in fix for JDK-8249906
  - JDK-8259048: (tz) Upgrade time-zone data to tzdata2020f
  - JDK-8259428: AlgorithmId.getEncodedParams() should return copy
  - JDK-8260356: (tz) Upgrade time-zone data to tzdata2021a
  - JDK-8261183: Follow on to Make lists of normal filenames
* Backports
  - JDK-8167409, PR3840: Invalid value passed to critical JNI function
* AArch64 port
  - PR3840: Backport cleanup changes from upstreaming AArch64 port to 8u
  - JDK-8078521, PR3840: AARCH64: Add AArch64 SA support
  - JDK-8136596, PR3840: Remove aarch64: MemBarRelease when final field's allocation is NoEscape or ArgEscape
  - JDK-8163363, PR3840: AArch64: Stack size in tools/launcher/Settings.java needs to be adjusted
  - JDK-8248336, PR3840: AArch64: C2: offset overflow in BoxLockNode::emit
  - JDK-8260930, PR3840: AArch64: Invalid value passed to critical JNI function
  - JDK-8263008, PR3840: AARCH64: Add debug info for libsaproc.so

The tarballs can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.26.tar.gz
* http://icedtea.classpath.org/download/source/icedtea-2.6.26.tar.xz

We provide both gzip and xz tarballs, so that those who are able to
make use of the smaller tarball produced by xz may do so.

The tarballs are accompanied by digital signatures available at:

* http://icedtea.classpath.org/download/source/icedtea-2.6.26.tar.gz.sig
* http://icedtea.classpath.org/download/source/icedtea-2.6.26.tar.xz.sig

These are produced using my public key. See details below.

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

GnuPG >= 2.1 is required to be able to handle this key.

SHA256 checksums:

96ad19258063f28e02a6984e2c004d72896e15c0fe46fd6105d20fab5f8e4a62  icedtea-2.6.26.tar.gz
68f131e14ab34485baa3157e9f391f33e6fa109a6bafc60c36fa04ca62dfd6dc  icedtea-2.6.26.tar.gz.sig
5b4ce4897b2163420e076c258f8fa46631d3efaad3dd385d61b1656eae0ae6ee  icedtea-2.6.26.tar.xz
39e9718d30ea1a4379120a0beca3f2c4f7f367edc1f0746b89da7ca38522e341  icedtea-2.6.26.tar.xz.sig

The checksums can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-2.6.26.sha256

The following people helped with these releases:

* Andrew Hughes (all backports & bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.6.26.tar.gz


$ tar x -I xz -f icedtea-2.6.26.tar.xz


$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.6.26/configure
$ make

Full build requirements and instructions are available in the INSTALL file.

Happy hacking!
Andrew :)
Pronouns: he / him or they / them
Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20210705/7b0d92c3/signature.asc>

More information about the distro-pkg-dev mailing list